Skip to main content

Xclarity Administrator CVE-2023-34418

HIGH
SQL Injection (CWE-89)
2023-06-26 psirt@lenovo.com
8.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

1
CVE Published
Jun 26, 2023 - 20:15 nvd
HIGH 8.1

DescriptionNVD

A valid, authenticated LXCA user may be able to gain unauthorized access to events and other data stored in LXCA due to a SQL injection vulnerability in a specific web API.

AnalysisAI

A valid, authenticated LXCA user may be able to gain unauthorized access to events and other data stored in LXCA due to a SQL injection vulnerability in a specific web API. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified as SQL Injection (CWE-89), which allows attackers to execute arbitrary SQL commands against the database. A valid, authenticated LXCA user may be able to gain unauthorized access to events and other data stored in LXCA due to a SQL injection vulnerability in a specific web API. Affected products include: Lenovo Xclarity Administrator.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Use parameterized queries/prepared statements. Never concatenate user input into SQL. Apply least-privilege database permissions.

CVE-2016-8233 CRITICAL
9.8 Mar 01

Log files generated by Lenovo XClarity Administrator (LXCA) versions earlier than 1.2.2 may contain user credentials in

CVE-2017-3770 HIGH
8.8 Sep 22

Privilege escalation vulnerability in LXCA versions earlier than 1.3.2 where an authenticated user may be able to abuse

CVE-2018-9066 HIGH
8.8 Jul 30

In Lenovo xClarity Administrator versions earlier than 2.1.0, an authenticated LXCA user can, under specific circumstanc

CVE-2018-9064 HIGH
8.8 Jul 30

In Lenovo xClarity Administrator versions earlier than 2.1.0, an authenticated LXCA user may abuse a web API debug call

CVE-2017-3745 HIGH
7.8 Jun 20

In Lenovo XClarity Administrator (LXCA) before 1.3.0, if service data is downloaded from LXCA, a non-administrative user

CVE-2023-3113 HIGH
7.5 Jun 26

An unauthenticated XML external entity injection (XXE) vulnerability exists in LXCA's Common Information Model (CIM) ser

CVE-2019-6179 HIGH
7.5 Sep 03

An XML External Entity (XXE) processing vulnerability was reported in Lenovo XClarity Administrator (LXCA) prior to vers

CVE-2018-9065 HIGH
7.5 Jul 30

In Lenovo xClarity Administrator versions earlier than 2.1.0, an attacker that gains access to the underlying LXCA file

CVE-2023-34420 HIGH
7.2 Jun 26

A valid, authenticated LXCA user with elevated privileges may be able to execute command injections through crafted call

CVE-2016-8221 HIGH
7.0 Jan 12

Privilege Escalation in Lenovo XClarity Administrator earlier than 1.2.0, if LXCA is used to manage rack switches or cha

CVE-2017-3763 MEDIUM
6.7 Sep 22

An attacker who obtains access to the location where the LXCA file system is stored may be able to access credentials of

CVE-2024-45104 MEDIUM
6.5 Sep 13

A valid, authenticated LXCA user without sufficient privileges may be able to use the device identifier to modify an LXC

Share

CVE-2023-34418 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy